
Cyber Security Awareness

IT Security Awareness Document

This IT Security awareness document is meant for all Mannai employees accessing data and
services on Mannai Network, either remotely or on premise.
This document provides IT Security guidelines that should be adhered to by all Mannai employees.

Importance of Security
The internet allows an attacker to attack from anywhere on the planet.
Risks caused by poor security knowledge and practice:
Identity Theft
Monetary Theft
Legal Ramifications (for yourself and companies)

According to www.SANS.org, the top vulnerabilities available for a cyber criminal are:
Web Browser
IM Clients
Web Applications
Excessive User Rights

Leading Threats
Virus
Worm
Social Engineering
Botnets / Zombies

Virus
A virus attaches itself to a program, file, or disk.
When the program is executed, the virus activates and replicates itself.
The virus may be benign or malignant but executes its payload at some point (often upon contact).
Viruses result in crashing of computers and loss of data.
[Diagram: Program A, carrying the virus as extra code, infects Program B]

Worm
Independent program which replicates itself and
sends copies from computer to computer across
network connections. Upon arrival the worm may
be activated to replicate.

Social Engineering
Social engineering manipulates people into performing actions or divulging confidential
information. Similar to a confidence trick or simple fraud, the term applies to the use of deception
to gain information, commit fraud, or access computer systems.

Phone Call: This is Bob, the System Admin. What is your password?
Email: ABC Bank has noticed a problem with your account
In Person: What ethnicity are you? Your mother's maiden name?
I have come to repair your machine and have some software patches..

Botnet
A botnet is a large number of compromised computers that are used to create and send spam or
viruses, or to flood a network with messages as a denial of service attack. The compromised computers are
called zombies.

Phishing = Fake Email

Phishing: a seemingly trustworthy entity asks via e-mail for sensitive
information such as SSN, credit card numbers, login IDs or passwords.

Recognizing a break-in or compromise

Symptoms:
Antivirus software detects a problem
Pop-ups suddenly appear (may sell security software)
Disk space disappears
Files or transactions appear that should not be there
System slows down to a crawl
Unusual messages, sounds, or displays on your monitor
Your mouse moves by itself
Your computer shuts down and powers off by itself

Malware Detection
Spyware symptoms:
Changes to your browser homepage/start page
Ending up on a strange site when conducting a search
Mysterious new toolbars that you cannot change
Lots of network activity while not particularly active
Excessive pop-up windows
New icons, programs, favorites which you did not add
Frequent firewall alerts about unknown programs trying to access the Internet
Bad/slow system performance
Puzzling search results

Devices and Files
Only devices owned or approved by Mannai should be connected to the Mannai Network
PCs must be manually locked when unattended
Important Files related to your Business Unit must be stored on a centralized file server (Not on the
desktop or C:\ drive). If you do not have access to a File Server, please contact IT Helpdesk.


Sensitive Data
Users must protect all sensitive data and files (Defined as data, documents, or files)
Data may only be stored on devices owned and approved by Mannai
Must be password protected in transit (for example, via e-mail or on any portable device)


Physical Security
Lock your workstation when you leave your desk or leave your
laptop/desktop device unattended
Press the Windows Key and L (at the same time)
Or Press Ctrl-Alt-Del and Lock Computer

Store sensitive documents in a secure filing cabinet with restricted access
Dispose of sensitive materials appropriately
Always report incidents and suspicious activities


Passwords
Your Password
Your password is also a key. Individuals will try to steal your
passwords if they are in plain sight or easy to determine.
Do not write down your passwords on sticky notes or paper in
plain sight.
Change your passwords frequently and make them hard to
guess.
Use Complex passwords: Password must contain Uppercase
letters, lower case letters, numbers and symbols (!,@,#,$)


Password Cracking: Dictionary Attack & Brute force


Pattern | Calculation | Result | Time to Guess (2.6x10^18/month)
--- | --- | --- | ---
Personal Info: interests, relatives | | 20 | Manual 5 minutes
Social Engineering | | | Manual 2 minutes
American Dictionary | | 80,000 | < 1 second
4 chars: lower case alpha | 26^4 | 5x10^5 |
8 chars: lower case alpha | 26^8 | 2x10^11 |
8 chars: alpha | 52^8 | 5x10^13 |
8 chars: alphanumeric | 62^8 | 2x10^14 | 3.4 min.
8 chars: alphanumeric + 10 | 72^8 | 7x10^14 | 12 min.
8 chars: all keyboard | 95^8 | 7x10^15 | 2 hours
12 chars: alphanumeric | 62^12 | 3x10^21 | 96 years
12 chars: alphanumeric + 10 | 72^12 | 2x10^22 | 500 years
12 chars: all keyboard | 95^12 | 5x10^23 |
16 chars: alphanumeric | 62^16 | 5x10^28 |

Threats
Current Threats
The following slides include a few examples of the kinds of threats you may
encounter with suggestions on how you can protect yourself, your data, your
organization and Mannai systems from malicious users/intent.
You Control What You Choose to Click

Most end user threats are targeted specifically with an intent that you will click on a
harmful link, attachment, picture, video or icon in an email or a web page, including
social media applications and news portals.
What you can do: STOP, and THINK, BEFORE you CLICK
Your job is to be aware, be alert and diligent. Always look for the signs that external
entities are trying to gain access to your PC, your network and your personal
information. Legal and genuine websites will never ask for your personal information
related to passwords, credit cards, bank account numbers etc.

Email Threats
Phishing, Spoofs, Goofs, Hoaxes, Malware, Scams and Spam
The most prevalent and persistent threats to your security come to you in your Inbox. They
come by different names and may even appear legitimate and even supposedly from
people you may know.

They all have one thing in common: They are designed to get you to click on an item like
an attachment, link or picture.
Result: If you click, you may launch a harmful program or be directed to a harmful web
site. You may then find your personal information compromised and you may subject your
network to malicious software.
Stop: Do not reply. Do not assume the contents in your email are
always safe and genuine.
Think: If you cannot identify the source and attachments as legitimate
or be sure the sender address is safe by looking at the header, you
can logically conclude that you should beware.
Reply: Only after you are completely confident that the action is safe.

Be aware of these Email Threats


The From field can be very helpful

One of the easiest ways to identify whether an email is legitimate is to simply look at the From
field. By doing so, you will be able to tell whether the email address belongs to a recognizable
sender and matches the displayed sender name.


Request for personal information

One tactic that is commonly used by Spammers is to alert you that
you must provide and / or update your personal information relating
to an account (e.g. Email password, bank details, credit card
information etc.). They may often claim to be from IT Services of the
Company.
Spammers use this tactic to create urgency so that someone clicks
on a malicious link or downloads an attachment aimed to infect the
user's computer or steal their information. The malicious link will often
divert a user to a fake web page that has been created to harvest
personal information.



Suspicious attachments
None of the financial organizations will send out attachments via
email, so be careful about opening any from senders or messages
that seem suspicious. These attachments often contain Malicious
Macros designed to infect your computer with a Virus. The Virus
infection often occurs as soon as you open the file document.
High-risk attachment file types include: .exe .scr .zip .com .bat

What is email spoofing?

Spoofing is when a spammer sends out emails using your email address in the From:
field. The idea is to make it seem like the message is from you in order to trick
people into opening it.

These emails do not originate from Mannai and do not have any contact with the
Mannai Mail system; their addresses are just edited to make them appear that
way.
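
The From-field, attachment and spoofing checks described above can be automated on a raw message. This is an added example, not part of the original document; the organization name "Example Corp", the example.* domains and the sample message are constructed placeholders, and the Return-Path comparison is an assumption about which header to compare, used as a warning signal rather than proof.

```python
import email
from email.utils import parseaddr

# File types the page lists as high risk.
HIGH_RISK_EXT = (".exe", ".scr", ".zip", ".com", ".bat")

# Constructed sample message (all names and domains are placeholders).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Example Corp IT Services" <helpdesk@it-support.example.org>
To: user@example.com
Subject: Update your password today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your mailbox is full. Open the attached form.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Form.PDF.scr"

AAAA
--b1--
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message, org_name, org_domain):
    """Return warning strings for one raw message; signals, not proof."""
    msg = email.message_from_string(raw_message)
    findings = []
    display = parseaddr(msg.get("From", ""))[0]
    from_dom = domain_of(msg.get("From"))
    # The display name claims the organization, the address does not.
    if org_name.lower() in display.lower() and from_dom != org_domain:
        findings.append(f"display name '{display}' but address domain is {from_dom}")
    # Envelope sender differs from the visible From: domain (spoofing signal).
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(HIGH_RISK_EXT):
            findings.append(f"high-risk attachment: {name}")
    return findings
```

Legitimate bulk mail can also have a Return-Path that differs from the From: domain, so a finding here means "look closer", not "malicious".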


Always use a secure browser for online activities.
Frequently delete temp files, cookies, history, saved passwords etc.
[Image: symbol showing enhanced security]

Internet Threats
Unsecure Browsing Can Be Hazardous To Your PC
The Internet is a significant resource for business services. However, some of the same issues
as with email and web browsing can create security issues that you need to be aware of.
Common Threats: On the web, threats come from malicious links. Most of the threats
originate when you click on a link that launches a malicious program or re-directs you to a
dangerous site.
Result: If you click, you may launch harmful programs or be directed to a harmful web site.
You may then find your personal, client, or sensitive business information compromised and
you may subject your PC and network to malicious software.

Stop: Do not automatically click on Internet links until you have confidence in them. This
includes pictures, videos, and navigational elements.

Think: Look at the actual address for the links in question. For instance, if the link says
"Click Here", be sure to hover your mouse pointer over the link and investigate the actual
web address before you proceed.

Click: Only after you are completely confident that the web site is safe.
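
The hover check described above compares what a link shows with where it actually goes. The same comparison can be run over an HTML message body, as in this added example (not part of the original document); the sample HTML, the host names and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (all hosts are placeholders).
SAMPLE_HTML = """
<p><a href="http://192.0.2.10/login">Click Here</a> to verify your account.</p>
<p>Or visit <a href="https://bank.example.net.login.example.org/">www.bank.example.net</a></p>
<p>Policy: <a href="https://intranet.example.com/policy">intranet.example.com/policy</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host(value):
    """Host of a URL or bare domain, lower-cased, leading 'www.' dropped."""
    h = (urlparse(value if "//" in value else "//" + value).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def audit_links(html):
    """Return (text, href, reason) for links that deserve a second look."""
    collector = LinkCollector()
    collector.feed(html)
    looks_like_url = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
    flagged = []
    for text, href in collector.links:
        target = host(href)
        shown = host(text) if looks_like_url.fullmatch(text) else ""
        if shown and shown != target:
            flagged.append((text, href, f"text shows {shown}, link goes to {target}"))
        elif re.fullmatch(r"[\d.]+", target):
            flagged.append((text, href, "link goes to a bare IP address"))
    return flagged
```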


Cyber Security User Responsibilities

Stop! and Think (consider appropriateness and risk) before I connect to the Internet.

Take personal responsibility for security, follow my organization's security policies, and adhere to sound security practices.

Lock my computer whenever I leave my work area.

Safeguard portable computing equipment when I am in public places.

Create and use strong passwords, and never share my password(s) with anyone.

Never leave a written password (sticky note, etc.) near my computer, or easily accessible.

Promptly report all security incidents or concerns to my organization's IT security Team.

Safeguard sensitive data as well as confidential and/or legally protected (Personally Identifiable Information and project related Information) data from any inappropriate disclosure.

Work to the best of my ability to keep my organization's staff, property and information safe and secure.

Spread the message to my friends, co-workers and community about staying safe online.

IT Security Policies
All users are required to adhere to the following Mannai Corporation IT Policies
and Guidelines:
http://mannaiintranet/MWM/mhrd/HR%20Policy/IT%20Policies%20and%20Guidelines%202015.pdf
